enabling internal DNS

Kai Blin kai at samba.org
Mon Sep 17 01:53:17 MDT 2012

On 2012-09-17 09:19, Daniele Dario wrote:

Hi Daniele,

> I've seen during last days many discussions about enabling the internal
> DNS and found that the "procedure" to follow on a already provisioned
> system working with bind9+dlz should be to add in smb.conf

If you already have a working bind-dlz setup, you're not necessarily the
target audience. Our main aim is to save people the hassle of setting up
bind-dlz in the first place.

If you want to keep running bind-dlz, all you need to add is

server services = -dns

If you want to run with the internal DNS anyway, I suggest the following:

dns forwarder = <your forwarder ip>

And that's it. Unless you really want to allow nonsecure updates. If
that's the case, you could have been running with the internal server
for a year already, so I think that's an unlikely scenario.

Oh, and currently the internal DNS server doesn't listen on the loopback
interface, so make sure /etc/resolv.conf points to the actual IP address
of your DC.

> interfaces = w.x.y.x
> dns forwarder = a.b.c.d
> allow dns updates = nonsecure and secure

I know this was recently proposed on the mailing list, but I don't think
this is a good idea at all. Allowing nonsecure updates is the best way
of getting into all sorts of trouble if you can't absolutely trust your

I've gone through a lot of trouble to save people from having to take
risks like that, and I'm not too happy to see people recommend the
nonsecure update path now that we have better options.


Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

More information about the samba-technical mailing list